NBSVTOOL(1) | General Commands Manual | NBSVTOOL(1) |
nbsvtool - create and verify detached signatures of files
nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command args ...
nbsvtool is used to create and verify detached X509 signatures of files. Private keys and certificates are expected to be PEM encoded; signatures are in PEM/SMIME format.
Supported commands:
-f and -k are required for this command.
-u code.
Supported options:
-a anchor-certificates
-c certificate-chain
-f certificate-file
-k.
-k private-key-file
-u required-key-usage
-v
The nbsvtool utility exits 0 on success, and >0 if an error occurs.
Create signature file hello.sp7 for file hello. The private key is found in file key, the matching certificate is in cert, additional certificates from cert-chain are included in the created signature.
nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7
Verify that the signature hello.sp7 is valid for file hello and that the signing certificate allows code signing. Certificates in anchor-file are considered trusted, and there must be a certificate chain from one of those certificates to the signing certificate.
nbsvtool -a anchor-file verify-code hello hello.sp7
As there is currently no default trust anchor, you must explicitly specify one with -a, otherwise no verification can succeed.
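The following wrapper is an added example, not part of the manual page or of NetBSD. It shows one way to gate the use of a file on the verify-code invocation and exit status documented above, failing closed when no trust anchor is supplied. The function name verify_then_stage and all paths are hypothetical, and nbsvtool is assumed to be in PATH.

```shell
#!/bin/sh
# Added example: fail-closed gate around "nbsvtool verify-code".
# verify_then_stage is a hypothetical helper, not shipped with nbsvtool.
#
# verify_then_stage FILE SIGNATURE ANCHOR DEST
#   0  signature verified, verified copy placed at DEST
#   1  verification failed, nothing written to DEST
#   2  usage or setup error (for example a missing trust anchor)
verify_then_stage() {
    [ "$#" -eq 4 ] || { echo "usage: verify_then_stage file sig anchor dest" >&2; return 2; }
    file=$1 sig=$2 anchor=$3 dest=$4

    # There is no default trust anchor, so refuse to continue without a
    # readable, non-empty anchor file instead of letting every check fail later.
    [ -s "$anchor" ] && [ -r "$anchor" ] || { echo "no trust anchor: $anchor" >&2; return 2; }
    [ -f "$file" ] && [ -f "$sig" ] || { echo "missing file or signature" >&2; return 2; }

    # Verify a private copy so the bytes that were checked are the bytes that
    # get staged, even if FILE is replaced while verification runs.
    tmp=$(mktemp "${TMPDIR:-/tmp}/verified.XXXXXX") || return 2

    # nbsvtool exits 0 on success and >0 on any error; only 0 is accepted.
    if cp -- "$file" "$tmp" && nbsvtool -a "$anchor" verify-code "$tmp" "$sig"; then
        mv -- "$tmp" "$dest" && return 0
    fi

    rm -f -- "$tmp"
    echo "signature verification failed for $file" >&2
    return 1
}

# Typical call, with the file names used in the examples above:
#   verify_then_stage hello hello.sp7 anchor-file ./hello.verified
```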
March 11, 2009 | NetBSD 10.99 |